Controls

List Controls

Find Controls matching the provided filters.

🔒 Requires Controls: List Controls permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

query Parameters
cursor
string

Used to paginate through results. Omit it on the first request; if more results exist, the response contains a pagination.cursor value to pass as cursor in the next request to retrieve the following page

size
number [ 1 .. 50 ]
Default: 20

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
expand[]
Array of strings (ControlsExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "customFields" "frameworkTags" "requirements"
isMonitored
boolean

Filter Controls that have or do not have a Monitor

Example: isMonitored=false
isReady
boolean

Filter Controls that are or are not ready

Example: isReady=false
hasEvidence
boolean

Filter to Controls with or without Evidence

Example: hasEvidence=true
hasPolicy
boolean

Filter to Controls with or without Policy

Example: hasPolicy=true
hasPassingTest
boolean

Filter to Controls with at least one passing Test

Example: hasPassingTest=true
ticketStatus
string

Only include Controls whose associated Task Management Ticket is in the given status

Enum: "IN_PROGRESS" "ARCHIVED"
Example: ticketStatus=0
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/workspaces/{workspaceId}/controls
Response samples
application/json
{
  "data": [
    {
      "id": "123",
      "name": "Databases Monitored and Alarmed",
      "code": "DCF-1002",
      "slug": "databases-monitored-and-alarmed",
      "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
      "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined\n criteria?",
      "activity": "Ensure tools are implemented to monitor databases",
      "archivedAt": "2025-07-01T16:45:55.246Z",
      "frameworkTags": [
        "SOC_2"
      ],
      "topics": [
        1,
        2
      ],
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z",
      "controlTemplateId": "123",
      "flags": {
        "hasEvidence": true,
        "hasPolicy": true,
        "isReady": "true",
        "hasTicket": "true",
        "hasOwner": false,
        "isMonitored": false
      },
      "owners": [
        {
          "id": 1,
          "email": "[email protected]",
          "firstName": "Sally",
          "lastName": "Smith",
          "createdAt": "2025-07-01T16:45:55.246Z",
          "updatedAt": "2025-07-01T16:45:55.246Z"
        }
      ],
      "requirements": [
        {
          "createdAt": "2020-07-06",
          "description": "The entity demonstrates a commitment to integrity and ethical values.",
          "frameworkName": "SOC 2",
          "frameworkPill": "SOC 2",
          "frameworkSlug": "SOC 2",
          "frameworkTag": "SOC_2",
          "id": "58",
          "name": "PI1.2",
          "updatedAt": "2020-07-06",
          "additionalInfo": "The entity demonstrates a commitment to integrity.",
          "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
          "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
          "archivedAt": "2020-07-06",
          "externalId": "SOC 2",
          "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
          "rationale": "This requirement is not needed."
        }
      ],
      "customFields": [
        {
          "customFieldId": 1,
          "name": "Stakeholders",
          "value": "Security & IT"
        }
      ]
    }
  ],
  "pagination": {
    "cursor": "string"
  }
}
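The following is an added example, not code from the reference or from Drata, showing how a client would encode the filters above (booleans as true/false, array parameters such as expand[] repeated per item), walk cursor pagination as the cursor parameter describes, and read the flags object. It generalizes to the other list endpoints on this page, whose frameworkTag array parameter is encoded the same way. Two things are worth noticing in the response sample: flags arrive as a mix of JSON booleans and the strings "true"/"false", and a client that tests them with plain truthiness will treat the string "false" as true. The base URL, the DRATA_API_TOKEN environment variable, the two-page sample data, and the assumption that a missing pagination.cursor means the last page are all mine, not the page's.

```python
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

# Assumption: the reference documents only the path; the host is a placeholder.
BASE_URL = "https://api.example.invalid"

Fetcher = Callable[[Optional[str]], Dict[str, Any]]


def build_query(params: Dict[str, Any]) -> str:
    """Encode query parameters as the reference describes: booleans as lowercase
    true/false, array parameters (expand[], frameworkTag) repeated once per item,
    and None values (for example no cursor on the first request) omitted."""
    pairs = []
    for key, value in params.items():
        if value is None:
            continue
        if isinstance(value, bool):
            pairs.append((key, "true" if value else "false"))
        elif isinstance(value, (list, tuple)):
            pairs.extend((key, str(item)) for item in value)
        else:
            pairs.append((key, str(value)))
    return urlencode(pairs)


def to_bool(value: Any) -> bool:
    """The response sample carries flags both as JSON booleans and as the strings
    "true"/"false". Normalize explicitly: bool("false") is True in Python, so a
    naive truthiness check would report an unready control as ready."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unexpected flag value: {value!r}")


def iter_controls(fetch_page: Fetcher) -> Iterator[Dict[str, Any]]:
    """Walk cursor pagination: request without a cursor first, then follow
    pagination.cursor until a page carries none (assumed to mean the last page)."""
    cursor: Optional[str] = None
    seen = set()
    while True:
        page = fetch_page(cursor)
        yield from page.get("data", [])
        cursor = (page.get("pagination") or {}).get("cursor")
        if not cursor:
            return
        if cursor in seen:  # defensive: a repeated cursor would loop forever
            raise RuntimeError(f"cursor {cursor!r} repeated")
        seen.add(cursor)


def controls_needing_attention(controls: Iterator[Dict[str, Any]]) -> List[str]:
    """Codes of controls that are not ready, have no owner, or are not monitored."""
    return [
        c["code"]
        for c in controls
        if not all(to_bool(c.get("flags", {}).get(f, False))
                   for f in ("isReady", "hasOwner", "isMonitored"))
    ]


def make_http_fetcher(workspace_id: int, token: str, filters: Dict[str, Any]) -> Fetcher:
    """Real fetcher for GET /workspaces/{workspaceId}/controls with a bearer token.
    The token is a credential: keep it out of source, URLs and logs."""
    def fetch(cursor: Optional[str]) -> Dict[str, Any]:
        query = build_query({"cursor": cursor, "size": 50, **filters})
        req = urllib.request.Request(
            f"{BASE_URL}/workspaces/{workspace_id}/controls?{query}",
            headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


# Constructed two-page sample (not real API output) so the walk runs offline.
SAMPLE_PAGES = {
    None: {"data": [{"code": "DCF-1002",
                     "flags": {"isReady": "true", "hasOwner": False, "isMonitored": False}}],
           "pagination": {"cursor": "page-2"}},
    "page-2": {"data": [{"code": "DCF-2001",
                         "flags": {"isReady": True, "hasOwner": "true", "isMonitored": True}}],
               "pagination": {}},
}


def fake_fetch(cursor: Optional[str]) -> Dict[str, Any]:
    return SAMPLE_PAGES[cursor]


if __name__ == "__main__":
    token = os.environ.get("DRATA_API_TOKEN")
    filters = {"isMonitored": False, "expand[]": ["customFields", "requirements"]}
    fetcher = make_http_fetcher(1, token, filters) if token else fake_fetch
    print(controls_needing_attention(iter_controls(fetcher)))
```

With no token set, the script walks the constructed pages and reports DCF-1002 only; with DRATA_API_TOKEN set it issues the real requests, with size pinned to the documented maximum of 50 to minimize round trips.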

Create Control

Create a new custom Control

🔒 Requires Controls: Create Control permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

Request Body schema:
required
name
required
string <= 191 characters

The name of the Control

description
required
string <= 30000 characters

The description of the Control

question
string <= 768 characters

The question of the Control

code
string <= 20 characters

The Control code

activity
string <= 768 characters

The activity of the Control

customFields
Array of objects (CustomFieldSubmitRequestPublicV2Dto)

Custom Fields for the Control

reportIds
Array of numbers

Array of Report IDs

policyIds
Array of numbers

Array of Policy IDs

requirementIds
Array of numbers

Array of Requirement IDs

ownersIds
Array of numbers

Array of User IDs to make owners of the Control

testIds
Array of numbers

Array of Control Test IDs

externalEvidence
Array of strings <binary>

External evidence files

externalEvidenceMetadata
string

JSON string of metadata of uploaded evidence

base64Files
string

JSON string with array of external evidence in Base64 format.

Responses
201

Created

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

413

The file was too large to upload

500

Internal server error

503

Third party system was unavailable

post/workspaces/{workspaceId}/controls
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "slug": "databases-monitored-and-alarmed",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined\n criteria?",
  "activity": "Ensure tools are implemented to monitor databases",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "frameworkTags": [
    "SOC_2"
  ],
  "topics": [
    1,
    2
  ],
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "controlTemplateId": "123",
  "flags": {
    "hasEvidence": true,
    "hasPolicy": true,
    "isReady": "true",
    "hasTicket": "true",
    "hasOwner": false,
    "isMonitored": false
  },
  "owners": [
    {
      "id": 1,
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "requirements": [
    {
      "createdAt": "2020-07-06",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "frameworkName": "SOC 2",
      "frameworkPill": "SOC 2",
      "frameworkSlug": "SOC 2",
      "frameworkTag": "SOC_2",
      "id": "58",
      "name": "PI1.2",
      "updatedAt": "2020-07-06",
      "additionalInfo": "The entity demonstrates a commitment to integrity.",
      "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
      "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
      "archivedAt": "2020-07-06",
      "externalId": "SOC 2",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "rationale": "This requirement is not needed."
    }
  ],
  "customFields": [
    {
      "customFieldId": 1,
      "name": "Stakeholders",
      "value": "Security & IT"
    }
  ]
}

Get Control

Get all the information for a specific Control

🔒 Requires Controls: Get Control permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

controlId
required
number
query Parameters
cursor
string

Used to paginate through results. Omit it on the first request; if more results exist, the response contains a pagination.cursor value to pass as cursor in the next request to retrieve the following page

size
number [ 1 .. 50 ]
Default: 20

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
expand[]
Array of strings (ControlExpandEnum)

List of subcollections and sub-objects to expand

Items Enum: "customFields" "frameworkTags" "requirements"
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/workspaces/{workspaceId}/controls/{controlId}
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "slug": "databases-monitored-and-alarmed",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined\n criteria?",
  "activity": "Ensure tools are implemented to monitor databases",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "frameworkTags": [
    "SOC_2"
  ],
  "topics": [
    1,
    2
  ],
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "controlTemplateId": "123",
  "flags": {
    "hasEvidence": true,
    "hasPolicy": true,
    "isReady": "true",
    "hasTicket": "true",
    "hasOwner": false,
    "isMonitored": false
  },
  "owners": [
    {
      "id": 1,
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "requirements": [
    {
      "createdAt": "2020-07-06",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "frameworkName": "SOC 2",
      "frameworkPill": "SOC 2",
      "frameworkSlug": "SOC 2",
      "frameworkTag": "SOC_2",
      "id": "58",
      "name": "PI1.2",
      "updatedAt": "2020-07-06",
      "additionalInfo": "The entity demonstrates a commitment to integrity.",
      "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
      "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
      "archivedAt": "2020-07-06",
      "externalId": "SOC 2",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "rationale": "This requirement is not needed."
    }
  ],
  "customFields": [
    {
      "customFieldId": 1,
      "name": "Stakeholders",
      "value": "Security & IT"
    }
  ]
}

Modify Control

🔒 Requires Controls: Update Control permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

controlId
required
number
Request Body schema: application/json
required
name
required
string <= 191 characters

The name of the Control

description
required
string <= 30000 characters

The description of the Control

question
string <= 768 characters

The question of the Control

code
string <= 20 characters

The Control code

activity
string <= 768 characters

The activity of the Control

customFields
Array of objects (CustomFieldSubmitRequestPublicV2Dto)

Custom Fields for the Control

Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

put/workspaces/{workspaceId}/controls/{controlId}
Request samples
application/json
{
  "name": "Quarterly User Access Reviews",
  "description": "Access to critical systems is reviewed on a quarterly basis to ensure that only authorized users retain access.",
  "question": "A very good question",
  "code": "DRA-69",
  "activity": "On a quarterly schedule, generate access reports from identity providers.",
  "customFields": [
    {
      "id": 1,
      "name": "Compliance Status",
      "value": "Security & IT"
    }
  ]
}
Response samples
application/json
{
  "id": "123",
  "name": "Databases Monitored and Alarmed",
  "code": "DCF-1002",
  "slug": "databases-monitored-and-alarmed",
  "description": "Drata has implemented tools to monitor Drata's databases and notify appropriate personnel of any events or incidents based on\n predetermined criteria. Incidents are escalated per policy.",
  "question": "Does the organization implement tools to monitor its databases and notify appropriate personnel of incidents based on predetermined\n criteria?",
  "activity": "Ensure tools are implemented to monitor databases",
  "archivedAt": "2025-07-01T16:45:55.246Z",
  "frameworkTags": [
    "SOC_2"
  ],
  "topics": [
    1,
    2
  ],
  "createdAt": "2025-07-01T16:45:55.246Z",
  "updatedAt": "2025-07-01T16:45:55.246Z",
  "controlTemplateId": "123",
  "flags": {
    "hasEvidence": true,
    "hasPolicy": true,
    "isReady": "true",
    "hasTicket": "true",
    "hasOwner": false,
    "isMonitored": false
  },
  "owners": [
    {
      "id": 1,
      "email": "[email protected]",
      "firstName": "Sally",
      "lastName": "Smith",
      "createdAt": "2025-07-01T16:45:55.246Z",
      "updatedAt": "2025-07-01T16:45:55.246Z"
    }
  ],
  "requirements": [
    {
      "createdAt": "2020-07-06",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "frameworkName": "SOC 2",
      "frameworkPill": "SOC 2",
      "frameworkSlug": "SOC 2",
      "frameworkTag": "SOC_2",
      "id": "58",
      "name": "PI1.2",
      "updatedAt": "2020-07-06",
      "additionalInfo": "The entity demonstrates a commitment to integrity.",
      "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
      "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
      "archivedAt": "2020-07-06",
      "externalId": "SOC 2",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "rationale": "This requirement is not needed."
    }
  ],
  "customFields": [
    {
      "customFieldId": 1,
      "name": "Stakeholders",
      "value": "Security & IT"
    }
  ]
}
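An added example, not code from the reference or from Drata, for the Modify Control request above: it checks a PUT body against the limits the body schema states (name up to 191 characters and required, description up to 30000 and required, question and activity up to 768, code up to 20, customFields an array of objects) before anything is sent, and then builds the PUT request. Validating client-side turns the server's generic 400 into a named field error and keeps oversized payloads from leaving the client. The base URL is a placeholder, the validator accepts only the fields the Modify Control schema lists, and the sample body is the one shown in the request sample above; the unit the server uses to count characters is not stated on the page, so the check uses Python code points.

```python
import json
import urllib.request
from typing import Any, Dict, List

# Assumption: the reference documents only the path; the host is a placeholder.
BASE_URL = "https://api.example.invalid"

# Maximum lengths as stated in the Modify Control request body schema.
FIELD_LIMITS = {"name": 191, "description": 30000, "question": 768, "code": 20, "activity": 768}
REQUIRED_FIELDS = ("name", "description")
ALLOWED_FIELDS = set(FIELD_LIMITS) | {"customFields"}


def validate_control_body(body: Dict[str, Any]) -> List[str]:
    """Return a list of schema violations; an empty list means the body is acceptable."""
    errors: List[str] = []
    for field, limit in FIELD_LIMITS.items():
        value = body.get(field)
        if field in REQUIRED_FIELDS and (not isinstance(value, str) or not value.strip()):
            errors.append(f"{field}: required, must be a non-empty string")
        elif value is None:
            continue
        elif not isinstance(value, str):
            errors.append(f"{field}: must be a string")
        elif len(value) > limit:
            # len() counts code points; the server's counting unit is not documented.
            errors.append(f"{field}: {len(value)} characters exceeds limit of {limit}")
    custom = body.get("customFields")
    if custom is not None and not (isinstance(custom, list) and all(isinstance(c, dict) for c in custom)):
        errors.append("customFields: must be an array of objects")
    unknown = sorted(set(body) - ALLOWED_FIELDS)
    if unknown:
        errors.append(f"unknown fields: {', '.join(unknown)}")
    return errors


def build_put_request(workspace_id: int, control_id: int, body: Dict[str, Any], token: str) -> urllib.request.Request:
    """Build PUT /workspaces/{workspaceId}/controls/{controlId}. Because name and
    description are required on every PUT, send the full control even for a one-field change."""
    errors = validate_control_body(body)
    if errors:
        raise ValueError("; ".join(errors))
    return urllib.request.Request(
        f"{BASE_URL}/workspaces/{workspace_id}/controls/{control_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Authorization": f"Bearer {token}",  # credential: never log the request headers
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


# The body from the page's Modify Control request sample.
SAMPLE_BODY = {
    "name": "Quarterly User Access Reviews",
    "description": "Access to critical systems is reviewed on a quarterly basis to ensure that only authorized users retain access.",
    "question": "A very good question",
    "code": "DRA-69",
    "activity": "On a quarterly schedule, generate access reports from identity providers.",
    "customFields": [{"id": 1, "name": "Compliance Status", "value": "Security & IT"}],
}


if __name__ == "__main__":
    print(validate_control_body(SAMPLE_BODY))                       # []
    print(validate_control_body({**SAMPLE_BODY, "code": "X" * 21})) # code too long
    req = build_put_request(1, 123, SAMPLE_BODY, "token-placeholder")
    print(req.get_method(), req.full_url)
```

To actually send the request, pass the returned object to urllib.request.urlopen and treat a 400 as a validation failure the local check did not anticipate (for instance a server-side counting rule), rather than retrying.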

List Requirements for Control

Find Control Requirements matching the provided filters.

🔒 Requires Controls: Get Control permission.

Security: bearer
Request
path Parameters
workspaceId
required
number

The Workspace ID associated with the Account

controlId
required
number
query Parameters
cursor
string

Used to paginate through results. Omit it on the first request; if more results exist, the response contains a pagination.cursor value to pass as cursor in the next request to retrieve the following page

size
number [ 1 .. 50 ]
Default: 20

Number of results to return

sort
string (SortTypeLimitedEnum)

Which field to sort by

Enum: "createdAt" "updatedAt"
sortDir
string (SortDirectionEnum)

The direction to sort the data

Enum: "ASC" "DESC"
frameworkTag
Array of strings

Filter data by controls associated with these framework tags

Items Enum: "NONE" "SOC_2" "ISO27001" "CCPA" "GDPR" "HIPAA" "PCI" "SCF" "NIST80053" "NISTCSF" "CMMC" "NIST800171" "MSSSPA" "FFIEC" "ISO27701" "COBIT" "SOX_ITGC" "ISO270012022" "CCM" "CYBER_ESSENTIALS" "ISO270172015" "ISO270182019" "FEDRAMP" "NISTAI" "PCI4" "NISTCSF2" "NIS2" "DORA" "ISO420012023" "DRATA_ESSENTIALS" "NIST800171R3" "CIS8" "CYBER_ESSENTIALS_32" "FEDRAMP20X" "HITRUST" "CUSTOM"
Example: frameworkTag=SOC_2&frameworkTag=ISO27001
excludeIds
Array of numbers

Exclude requirements by array of IDs

frameworkSlug
string

Filter data by controls associated with these framework slugs. This parameter is intended to be used only for custom frameworks

Example: frameworkSlug=slug
Responses
200

Successful

400

Malformed data and/or validation errors

401

Invalid Authorization

402

You must upgrade your plan to use this feature

403

You are not allowed to perform this action

404

Not Found

412

You must accept the Drata terms and conditions to use the API

500

Internal server error

get/workspaces/{workspaceId}/controls/{controlId}/requirements
Response samples
application/json
{
  "data": [
    {
      "createdAt": "2020-07-06",
      "description": "The entity demonstrates a commitment to integrity and ethical values.",
      "frameworkName": "SOC 2",
      "frameworkPill": "SOC 2",
      "frameworkSlug": "SOC 2",
      "frameworkTag": "SOC_2",
      "id": "58",
      "name": "PI1.2",
      "updatedAt": "2020-07-06",
      "additionalInfo": "The entity demonstrates a commitment to integrity.",
      "additionalInfo2": "The entity demonstrates a commitment to ethical values.",
      "additionalInfo3": "The entity demonstrates a commitment to enforcing policies.",
      "archivedAt": "2020-07-06",
      "externalId": "SOC 2",
      "longDescription": "The entity demonstrates a commitment to integrity and ethical values.",
      "rationale": "This requirement is not needed."
    }
  ],
  "pagination": {
    "cursor": "string"
  }
}